Building Infrastructure you can (mostly) trust

Transcript

1. Building Infrastructure you can (mostly) trust.

2. TEMP HUM NOISE LUX PAX GATEWAY 1 IN OUT GATEWAY

   2 IN OUT GATEWAY N IN OUT CLOUD INTERNAL

3. DEADLINE: TBD :) * improve code TO DO

4. Deployment Guide: SQL Server rev. 12 DEADLINE: ASAP * SQL

   Server (HA) :( TO DO 1 / 23

5. Deploy for upcoming Exposition? S. Miller to: me, A. Chyornyj

6. TERMINAL > terraform plan -out="iot.tfplan" Plan: 8 to add, 0

   to change, 0 to destroy. ──────────────────────────────────────── Saved the plan to: iot.tfplan Run the following command to apply: terraform apply "iot.tfplan"

7. Out-Group external partners General Public OSS contributions You In-Group associated

   teams, rest of organization Neighbours direct teammates

8. 01 Works On My Machine Trusting Yourself

9. CODE EDITOR resource "yandex_compute_instance" "exposition" { name = "vdnkh-1" platform_id

   = "standard-v1" zone = var.yandex_zone resources { cores = 20 memory = 48 } boot_disk { auto_delete = true initialize_params { image_id = data.yandex_compute_image.ubuntu.image_id } } !!" Trustable Code

10. TERMINAL > git log -1 commit dbbb68b7cd862a95467940a3636813117d3bd2cd (HEAD !# main)

    Author: Kerim Satirli <[email protected]> Date: Tue Nov 9 09:41:00 2021 +0200 linting Trustable Code

11. TERMINAL > git log !$show-signature -1 commit dbbb68b7cd862a95467940a3636813117d3bd2cd (HEAD !#

    main) gpg: Signature made Tue Nov 9 09:41:00 2021 gpg: using RSA key DAC9F8147655C16210FC5BA84E06DF3A215B79A8 gpg: Good signature "[email protected]" Author: Kerim Satirli <[email protected]> Date: Tue Nov 9 09:41:00 2021 +0200 linting Trustable Code

12. github.com/operatehappy/packer-hashicorp Trustable Code

13. TERMINAL > terraform validate │ │ Error: Reference to undeclared

    input variable │ │ on compute.tf line 5 │ in resource "yandex_compute_instance" "exposition": │ │ 5: zone = var.yandex_zon │ │ An input variable with the name "yandex_zon" has not been │ declared. │ │ Did you mean "yandex_zone"? │ Validation (basic)

14. TERMINAL > pre-commit run !$all-files Check for added large files............................Passed

    Check for case conflicts...............................Passed Check for merge conflicts..............................Passed Terraform fmt..........................................Passed Terraform validate.....................................Passed Validation (basic)

15. TERMINAL > tflint Validation (advanced) 1 issue(s) found: Notice: resource

    name `exposition-test` must match the following format: snake_case (terraform_naming_convention) on compute.tf line 2: 2: resource "yandex_compute_instance" "exposition-test" { Reference: github.com/terraform-linters/tflint/blob/master/ docs/rules/terraform_naming_convention.md

16. CODE EDITOR Version Pinning terraform { required_providers { yandex =

    { source = "yandex-cloud/yandex" version = "0.66.0" } } required_version = "1.0.10" }

17. CODE EDITOR Version Pinning terraform { required_providers { yandex =

    { source = "yandex-cloud/yandex" version = "0.66.0" } } required_version = "1.0.10" }

18. Compatibility Promises https://www.terraform.io/docs/language

    Learn more about the <a href="https://www.terraform.io/docs/language/v1-compatibility-promises.html">Terraform 1.0 Compatibility Promises</a>.

19. TERMINAL > terraform init Initializing provider plugins!!" - Finding yandex-cloud/yandex

    versions matching "0.66.0"!!" - Installing yandex-cloud/yandex v0.66.0!!" - Installed yandex-cloud/yandex v0.66.0 (key ID E40F590B50BB8E40) Version Pinning

20. CODE EDITOR Version Pinning providers "registry.terraform.io/yandex-cloud/yandex" { version = "0.66.0"

    constrains = "0.66.0" hashes = [ "h1:oThGd+Ls!!"84poGbY=", "zh:2eb19ceb!!"bc734a96", "zh:3f094b5b!!"3647a69d", "zh:43f1c9f0!!"996adb2c", "zh:44ca4c74!!"928943c9", "zh:609f33ad!!"9f1592ce", "zh:6da9c95b!!"1d179d88", "zh:6deacbba!!"bc2031a1", "zh:77283a62!!"60a436da", "zh:8a12d8cb!!"a683aa4c", "zh:9c91491d!!"2d40e0fc", "zh:b3b37f83!!"4ca284fd", "zh:dc8cd0d2!!"fff4016f", "zh:e298c674!!"f5e72b26", ] }

21. ▪ formatting ▪ linting ▪ version pinning Works On My

    Machine

22. 02 Architecture to form Trust Relationships Trusting Your Team

23. CODE EDITOR variable "yandex_token" { type = string sensitive =

    true description = "IAM token for authentication." }

24. CODE EDITOR # see registry.terraform.io/providers/yandex-cloud/yandex/latest/docs#zone variable "yandex_zone" { type =

    string default = "ru-1c" # see cloud.yandex.com/en/docs/overview/concepts/geo-scope validation { condition = contains(["ru-1a", "ru-1c"], var.yandex_zone) error_message = "Value must be one of `ru-1a` or `ru-1c`." } }

25. CODE EDITOR Output output "console_compute_instances_overview" { description = "URL for

    Compute Overview." value = "console.cloud.yandex.com/!!"" } output "yandex_folder_id" { description = "Yandex.Cloud Folder ID." sensitive = true value = var.yandex_folder_id }

26. TERMINAL > terraform plan Terraform will perform the following actions:

    # yandex_compute_disk.os_disk will be created + resource "yandex_compute_disk" "os_disk" {} # yandex_compute_disk.data_disk will be created + resource "yandex_compute_disk" "data_disk" {} # yandex_compute_instance.main will be created + resource "yandex_compute_instance" "main" {} # yandex_dns_zone.main will be created + resource "yandex_dns_zone" "main" {} Codify Patterns

27. Codify Patterns https://github.com/im2nguyen/rover

28. Minimally Viable Pattern Networking Module ▪ Resources – vpc_network –

    vpc_subnet(s) – vpc_security_group ▪ Inputs / Outputs – var.cidr_range – dns_zone – iam_service_account Compute Module ▪ Resources – compute_instance – compute_disk(s) – dns_recordset(s) ▪ Inputs / Outputs – vpc_subnet – dns_zone – iam_service_account IAM Module ▪ Resources – resourcemanager_folder – iam_* ▪ Inputs / Outputs – var.zone – var.folder_id – iam_service_account

29. TERMINAL > cd module-example !& tree ├── examples ├── CHANGELOG.md

    ├── LICENSE ├── README.md ├── main.tf ├── output.tf ├── terraform.tf └── variables.tf Module Structure

30. CODE EDITOR resource "yandex_compute_instance" "exposition" { name = "vdnkh-1" platform_id

    = "standard-v1" zone = var.yandex_zone !!" } moved { from = yandex_compute_instance.exposition to = yandex_compute_instance.main } Config-driven Move (Terraform 1.1)

31. CODE EDITOR Module Defaults module "website" { source = "vdnkh/website/yandex"

    version = "1.0.0" folder_id = var.yandex_folder_id zone = var.yandex_zone }

32. CODE EDITOR Protecting Secrets provider "yandex" { token = var.yandex_token

    cloud_id = var.yandex_cloud_id folder_id = var.yandex_folder_id zone = var.yandex_zone }

33. CODE EDITOR Protecting Secrets variable "yandex_token" { type = string

    sensitive = true description = "IAM token for authentication." } output "var.yandex_folder_id" { description = "Yandex.Cloud Folder ID." sensitive = true value = var.yandex_folder_id }

34. TERMINAL > terraform-docs . README.md updated successfully Generated Docs

35. Generated Docs git.io/JX2mP

36. TEMP HUM NOISE LUX PAX GATEWAY 1 IN OUT GATEWAY

    2 IN OUT QUARANTINE CLOUD GATEWAY N IN OUT INTERNAL

37. ▪ validate your inputs ▪ over-document everything ▪ modularize with

    minimalism in mind Trust Relationships

38. ▪ slides: ▪ code: Resources speakerdeck.com/ksatirli/building-infrastructure-you-can-mostly-trust github.com/ksatirli/building-infrastructure-you-can-mostly-trust

    Find more resources on <a href="https://github.com/ksatirli/building-infrastructure-you-can-mostly-trust">github.com/ksatirli/building-infrastructure-you-can-mostly-trust</a>.

39. Sr. Developer Advocate at HashiCorp he/him @ksatirli Kerim Satirli

    Find me on <a href="https://twitter.com/ksatirli">twitter.com/ksatirli</a>.

40. Thank You @ksatirli [email protected]